Executive Cyber Intelligence Bi-Weekly Report by INSS-CSFI
March 18th, 2014
Two weeks of diverse cyber-attacks in Israeli cyberspace
Since the start of the month, Israeli companies are experiencing numerous cyber-attacks. One of the companies, Wix, which provides a platform for building html5 sites, reported a DDoS attack hitting their services. Wix has a defense system allowing them to deal with cyber-attacks; nevertheless, the magnitude of this cyber-attack made a variety of Wix sites go offline. The cyber consulting company, Cyber Hat, reported the spread of the Cryptolocker malware in some Israeli companies, which is a ransomware deployed to a company network by phishing and encrypts files onto the company servers. The original email from Cryptolocker comes with a ransom note demanding payment of 400 Euros through Bitcoin currency in return for the decrypting files.
The increase of cyber-attacks co-exists with the Anonymous operation #OpIsraelBirthday, which is scheduled to take place April 4th and is meant to erase Israel from the Internet. #OpIsrael is being led by members of AnonGhost, which held a previous #OpIsrael operation in April, 2013. AnonGhost is known as a prevalent player behind Mauritania Attacks. The first phase of the cyber operation was held on March 10th, but except for a few personal files published, there was no report of a major damage. AnonGhost uses social media networks like Facebook and Twitter to spread malware coded programs for those wishing to participate, with a blog including a YouTube video and a countdown to April 4th. According to The Amman Group disclosed, an Israeli cyber security firm, as the date of #OpIsraelBirthday approaches, more Israeli websites are being compromised, with databases exposed.
SEA claims to have succeeded in hacking CENTCOM
Syrian Electronic Army (SEA) breached the United States Central Command (CENTCOM), enabling them to access hundreds of confidential documents. SEA tweeted they targeted CENTCOM. In response to doubt, SEA posted a screen shot of the information on Twitter depicting a military system in the US Air Force and Army Knowledge Online (AKO) with folders directing to command units. However, it appeared that the screenshot was of unclassified information only. AKO, a sharing network for military members to confidentially access unclassified and FOUO information, was slow to respond to the attack, and CENTCOM denied the cyber breach. SEA expressed the attack was because of President Obama’s decision to attack SEA through cyber warfare. Additionally, SEA threatens more information will be published.
Vice Adm. Michael Rogers, elected Director of NSA, offered a grim assessment of the growing cyber threat against the United States and their abilities to overcome the risks. He stated that enemies may consider the U.S. “an easier mark” because the procedures and requirements facing a response to cyber-attacks “lead the adversary to believe, rightly or wrongly, that we do not have the will to respond in a timely or proportionate manner.” Rogers added improvements to staffing and resources will be made to the Cyber Command will be one of the responses.
AKO does NOT contain classified information. Communication via AKO is meant to be confidential (encrypted, with military users accessing it with their CAC [Common Access Card]), but it is not for classified files.
Russian citizens called for terrorist activities on social networks
Because of the continued crisis in the Ukraine, which began in November, 2013 that led to the invasion of Russian troops to the Crimea peninsula, news and media source, Dojd TV, reported the Office of the General Russia Federation Prosecutor appealed to the FSB (Russian Federal Security Service) to block community and social media networks. Prosecutors found the appeal to “address the Russian citizens with direct appeals to carry out terrorist activities and to participate in unsanctioned public events.” After the removal of illegal information, some community networks were again unblocked. It is still unclear how the operation was executed.
Kuwait urges Arab countries to unite against security challenges
In a meeting held in Marrakech, Morocco, on March 11, Kuwait’s Deputy Prime Minister and Minister of Interior, Sheikh Mohammad Khaled Al-Hamad Al-Sabah, appealed to Arab countries to unite in the face of security challenges, while pushing forward with economic developments. At the Arab Interior Ministers’ meeting held in March, Sheikh Mohammad underlined Kuwait’s support to uniform Arab positions and addressed security challenges the Arab region is facing in the coming year. The Kuwaiti official explained that Arab countries need to double the efforts in the face of rumors spreading through social media networks of violent behavior, money laundering, counterfeiting, drugs, organized crimes, and cyber crimes.
Kenya’s ministry of transport website hacked
A Turkish Muslim group named Ayyildiz Tim, hacked the Kenyan Ministry of Transport website, accusing the Kenyan government of disrespecting Islam. The hackers published the following message on the government website: “All the Muslims are together. The CYBER-WAR will be appeared all the Countries which not respecting Islam. Ayyildiz promises that they will visit your areas too…” Ayyildiz Tim supports terrorist organizations and threatens a surge of cyber-attacks hitting Kenya since the incursion into Somalia to fight Al Shabaab, a terrorist organization.
Iran and Russia partnering to launch cyber-attacks
Former chairman of the House’s Permanent Select Committee on Intelligence, Rep. Peter Hoekstra, stated in a lecture in front of lawmakers that the Iranian regime is emerging as a “world class” cyber threat, mainly due to its close ties to Russia and cooperation between the two states will only increase in the coming months. According to Hoekstra, “Iran and Russia will develop a much closer relationship… Russia and Iran have so much to gain from more significant cooperation, and the immediate impacts will be profound.” This cooperation is becoming more significant given Russia’s continued aggressive stance toward the USA.
China and APAC
New Chinese stealth fighter aircraft created because of cyber-spying operation.
For several years cyber espionage became the specialty of China, which has many cyber espionage operations against the U.S. defense industry to catch up on their industrial delay. The latest evidence of the intensive cyber espionage activity is the launch of a new stealth fighter jet constructed with stolen plans through a cyber-espionage operation conducted several years ago against the F-35 Lightning II from Lockheed Martin. Proof of the stolen plans was confirmed through a Chinese military forum. Pictures were published of a recently developed version of the J-20 stealth jet, a twin aircraft under development by the Chinese People Liberation’s Army.
According to the Washington Free Beacon, the initial J-20 prototype was revealed in 2011 through a video showing the aircraft equipped with new electro-optical targeting system assisting the aircraft to hide from radars. According to the Pentagon, a Chinese military group known as Technical Reconnaissance Bureau based in the Chengdu province stole the data. The information was passed to the Aviation Industry Corporation (AVIC), which transferred the stolen plans to the Chengdu Aircraft Industry Group, incorporating the information into the new design.
UK expanding cyber training to children
The UK government intends to train children ages 11-14 in cyber security in an effort to prepare future generations in the UK for cyber threats, technological skills, and economic growth by providing the necessary materials to take part in advanced understanding of such topics through apprenticeships. This concept is part of the “Cyber Security Skills: Business Perspectives and Government Next Steps,” which was published with feedback directly from businessmen in the private and public sector. Children interested can sign up for the Massive Open Online Course, as well as be part of the Secure Futures provided in certain cities in England. Sire David Pepper, part of the Cyber Security Skills Alliance stated: “It is clear from this and our own research that the national shortage of cyber skills is a key issue for businesses and government in the fight against the growing threat from cyber crime.”
NATO websites targeted by Ukrainian cyber-attack
On March 15th, several NATO websites were targeted by a cyber-attack related to the Russian-Ukrainian conflict. A group of hackers called ”Cyber Buerkout” claimed the attack was carried out by Ukrainian patriots unhappy about the way NATO is dealing within their country. The Berkout, the anti-riot Ukrainian police, was disbanded. The police were accused of killing dozens of protesters in the days leading up to the impeachment of President Viktor Yanukovych on February 22. Cyber Berkout Groups already attacked several Ukrainian websites in the past weeks, according to computer security experts. Cyber hacktavists, Anonymous, have also assisted in the cause with #OpRussia leaking state documents. This is one example of cyber warfare being conducted in the Crimea crisis against government websites and officials. Networks all over the Ukraine have been infected with malicious software performing surveillance, access personal data, and DoS and DDoS attacks. Many malware and breaches have been traced back to Russia such as the malware Snake. The cyber aggression has been performed on both sides.
Latvia establishing new Cyber Defense Unit
Latvia launched a new cyber defense unit, which has become an extension of the National Guard of Latvia. It will be composed of 13 cyber security experts coming from both the private and public sector. Among them will be Eric Dobelis, a computer expert running an IT consulting company in Riga. In case of serious cyber-attacks on Latvia’s critical infrastructures, the cyber unit will cooperate with Latvia’s Computer Security Incident Response Team charged with responding to cyber-attacks. Moreover, the new cyber unit operates under the authority of the Latvia’s Ministry of Defense and has access to more than 600 IT experts working for the government. According to Ministry of Defense, people applying to join the Cyber Defence Unit are checked for security clearance before receiving classified information. The intention is to expand the unit to a 100 guardsmen in the coming years. Additionally, they envision creating a similar team consisting of teenage IT security experts. Like Hungry, Lithuania, Poland, and Slovakia, Latvia is part of the NATO cyber defence cooperation and has cyber soldiers working at the NATO cooperative Cyber Defence of Excellence.
This document was prepared by The Institute for National Security Studies (INSS) – Israel and The Cyber Security Forum Initiative (CSFI) – USA to create better cyber situational awareness (Cyber SA) of the nature and scope of threats and hazards to national security worldwide in the domains of cyberspace and open source intelligence. It is provided to Federal, State, Local, Tribal, Territorial and private sector officials to aid in the identification and development of appropriate actions, priorities, and follow-on measures. This product may contain U.S. person information that has been deemed necessary for the intended recipient to understand, assess, or act on the information provided. It should be handled in accordance with the recipient’s intelligence oversight and/or information handling procedures. Some content may be copyrighted. These materials, including copyrighted materials, are intended for “fair use” as permitted under Title 17, Section 107 of the United States Code (“The Copyright Law”). Use of copyrighted material for unauthorized purposes requires permission from the copyright owner. Any feedback regarding this report or requests for changes to the distribution list should be directed to the Open Source Enterprise via unclassified e-mail at: [email protected].com. CSFI and the INSS would like to thank the Cyber Intelligence Analysts who worked on collecting and summarizing this report.